After spending the last two days cleaning sites, I've switched hosts, moving to a VPS on cloud storage. The support is infinitely better, the system more secure. As soon as the DNS changes propagate, I'm outie.

Hi folks,
I've been called on to fix quite a number of DreamHost hacked WordPress blogs and would like to toss in a few real-world observations.

1. Of the sites I've worked on and cleared of malware all were due to outdated WordPress blogs, templates, or plugins.

2. While it's somewhat apparent Dreamhost is being targeted, at least in my experience the errors have been at the "user" level and not due to an exploit within Dreamhost's servers (that is, just as likely to have happened had they been hosted elsewhere).

That said, if you maintain the latest version of WordPress and keep your plugins and theme updated, it's likely you won't be hacked in future (or, much less likely, I should say).

A few pointers:

1. Check for the old Timthumb vulnerability first.
Add the "Timthumb Vulnerability Scanner"
If you come up clean then go ahead and delete it.

2. Delete all inactive themes and plugins (NOW!).
Don't get me going on this one...
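Added example, not from the post above and not the "Timthumb Vulnerability Scanner" plugin it recommends: a small POSIX shell scan that walks a WordPress tree, finds every timthumb.php / thumb.php copy and reports its version. It assumes TimThumb declares its version with a line of the form `define ('VERSION', '2.8.10');` and, as a stated assumption, treats anything below 2.0 as outdated (check the version you find against the current TimThumb release before deleting anything). The sample tree is constructed inside the script.

```shell
#!/bin/sh
# Added example: locate TimThumb copies under a WordPress install and
# report their version so outdated ones can be removed or updated.

# Classify a version string. Assumption: 0.x and 1.x are the old, vulnerable
# line; "unknown" means no VERSION line could be parsed (inspect by hand).
timthumb_status() {
    case "$1" in
        unknown) echo unknown ;;
        0.*|1.*) echo vulnerable ;;
        *) echo ok ;;
    esac
}

# Print "<path> <version> <status>" for every timthumb.php / thumb.php
# under $1 that actually contains the TimThumb marker text.
scan_timthumb() {
    root="$1"
    find "$root" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) 2>/dev/null |
    while IFS= read -r f; do
        grep -qi 'timthumb' "$f" || continue
        # Pull the version out of:  define ('VERSION', '1.33');
        ver=$(sed -n "s/.*define *('VERSION', *'\([0-9.]*\)').*/\1/p" "$f" | head -n 1)
        [ -n "$ver" ] || ver="unknown"
        printf '%s %s %s\n' "$f" "$ver" "$(timthumb_status "$ver")"
    done
}

# Constructed sample tree (not a real site): one old and one current copy.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/old-theme" "$d/wp-content/themes/new-theme"
    printf '%s\n' '<?php' '// TimThumb script (constructed stand-in)' \
        "define ('VERSION', '1.33');" > "$d/wp-content/themes/old-theme/timthumb.php"
    printf '%s\n' '<?php' '// TimThumb script (constructed stand-in)' \
        "define ('VERSION', '2.8.10');" > "$d/wp-content/themes/new-theme/thumb.php"
    echo "$d"
}

# Usage: sh timthumb-scan.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    scan_timthumb "$1"
fi
```

Run it against the document root of each hosted site; a "vulnerable" or "unknown" line is the file to replace or delete, and a theme that still ships its own copy is a theme that has not been updated.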

You can run a phpinfo yourself and see it's on for local. That page says it was disabled UNTIL 2008... which means it's now enabled by default. It's best, IMHO, to disable it. Better to use curl anyway. allow_url_include is disabled though.

I'm happy that with 5.3 DH allows me a custom php.ini, as I prefer to disable certain functions like exec, system, filesystem, passthru, show_source, shell_exec, escapeshellarg, escapeshellcmd, popen, and proc_open. 5.3 is also running the suhosin patch, which is helpful. I spent all day yesterday beefing up my security. I should be good for a while. But I'm still working to fix 2-3 sites which are offline due to compatibility problems and needed updates.
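Added example covering the two posts above (the allow_url_fopen / allow_url_include point and the disable_functions list); it is not either poster's php.ini. The script audits a php.ini the way a practitioner would check a custom one on shared hosting: it reads the two URL directives (falling back to PHP's defaults of allow_url_fopen On and allow_url_include Off when a line is absent) and lists which of the wanted functions are still missing from disable_functions. The "filesystem" entry in the post is not a PHP function name, so it is left out of the list. Both sample ini files are constructed here; point the functions at your real php.ini to check a live account.

```shell
#!/bin/sh
# Added example: audit php.ini for allow_url_fopen, allow_url_include and
# the disable_functions coverage discussed in the thread.

# Functions the post wants blocked (poster's list minus "filesystem",
# which is not a PHP function).
WANT_DISABLED="exec system passthru shell_exec escapeshellarg escapeshellcmd popen proc_open show_source"

# Value of directive $2 in file $1, with trailing ";" comments and
# whitespace removed; prints nothing if the directive is unset.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
    sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' | head -n 1
}

# "on" or "off" for boolean directive $2; $3 is the default used when unset.
ini_bool() {
    v=$(ini_get "$1" "$2")
    [ -n "$v" ] || v="$3"
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) echo on ;;
        *) echo off ;;
    esac
}

# One line per wanted function that disable_functions does not cover.
missing_disabled() {
    have=$(ini_get "$1" disable_functions | tr ',' ' ')
    for fn in $WANT_DISABLED; do
        found=0
        for h in $have; do [ "$h" = "$fn" ] && found=1; done
        [ "$found" -eq 1 ] || printf '%s\n' "$fn"
    done
}

# Human-readable summary of one php.ini.
audit_php_ini() {
    f="$1"
    printf 'allow_url_fopen: %s\n'   "$(ini_bool "$f" allow_url_fopen on)"
    printf 'allow_url_include: %s\n' "$(ini_bool "$f" allow_url_include off)"
    m=$(missing_disabled "$f" | tr '\n' ' ')
    printf 'not in disable_functions: %s\n' "${m:-none}"
}

# Constructed weak php.ini: the shape of a default shared-hosting setup.
write_weak_ini() {
    cat > "$1" <<'EOF'
; constructed sample, not a real DreamHost php.ini
allow_url_fopen = On
allow_url_include = Off ; PHP default
disable_functions = exec,system, passthru,shell_exec
EOF
}

# Constructed hardened php.ini with the settings the thread recommends.
write_hardened_ini() {
    cat > "$1" <<'EOF'
; constructed sample: URL wrappers off, shell/process functions disabled
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,popen,proc_open,show_source
EOF
}

# Usage: sh php-ini-audit.sh /path/to/php.ini
if [ "$#" -gt 0 ]; then
    audit_php_ini "$1"
fi
```

After editing the custom php.ini, confirm the running interpreter actually picked it up (a phpinfo page, or `php -i` for the CLI) rather than trusting the file on disk; on shared hosts the per-user php.ini only applies when the host's PHP wrapper loads it.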

(02-22-2012 08:24 AM)sXi Wrote: Blocking access from BurstNET servers would be a good start:

deny from 46.17.
deny from 64.191.
deny from 66.96.
deny from 66.197.
deny from 77.88.
deny from 81.199.
deny from 82.61.
deny from 92.72.
deny from 94.229.
deny from 96.9.
deny from 137.82.
deny from 157.55.
deny from 173.212.
deny from 180.76.
deny from 184.82.
deny from 208.115.

Could you please describe in more detail the process that I would go through to block the above sites? I'm quite new to this and don't follow you.

(03-02-2012 12:51 PM)johnyct9760 Wrote: Could you please describe in more detail the process that I would go through to block the above sites? I'm quite new to this and don't follow you.

thank you

Johny,

I've written a description of exactly this on repairitblog.org; look under the heading 'hardening dreamhost' and you'll find a .htaccess overview, a description of good .htaccess commands, and a discussion of banning individual users and ranges of users.

Let me know if you have any questions; you can comment on the repairit blog or PM me here if you want.

So, I'm not sure if we have been hacked, because most of the websites that are down are WordPress (latest version, no one-click install).

I haven't found anybody with the same problem searching on Twitter or Google... Do you think there is anything else I can test to be sure?

PS: I opened a DH support ticket a few hours ago and still have no answer. I also commented this morning on the "port-au-prince" server issue on the DH Status Blog with my problem. Oscar answered: "The admin team however is working on your mysql server", so it's maybe a clue...

Add me to the list of people who got hit with 'eval(base64_decode...' hack.
About 6 out of 10 WP sites got hit in different accounts, different users.

All of my WP installs and plugins were up to date. Only items that were not up to date were some of the extra themes DH included with the one-click installs.

I want to thank the early posters in this thread. (It would be nice if folks stayed on subject and didn't bicker about whose 'fault' this is. I'm not ready to point fingers, I just needed to get things fixed.)
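Added example, not from any post in the thread: a shell scan for the `eval(base64_decode(...))` injection the post above describes. It lists the PHP files under a directory that contain the pattern and decodes each base64 blob to plain text for inspection, without ever passing it to PHP. The infected file is constructed inside the script and its "payload" is a harmless `echo`; run the two functions against a real document root to find the injected copies and see what they do before cleaning.

```shell
#!/bin/sh
# Added example: find PHP files carrying eval(base64_decode("...")) and
# decode the payload for reading only (never executed).

# List files under $1 whose contents contain eval(base64_decode( ,
# tolerating whitespace between the tokens.
find_infected() {
    grep -rlE --include='*.php' \
        'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' "$1" 2>/dev/null
}

# Print the decoded payload of every quoted base64 string handed to
# base64_decode( in file $1, one per line. Blobs that fail to decode are
# reported as <undecodable> rather than silently dropped.
decode_payloads() {
    grep -oE "base64_decode[[:space:]]*\([[:space:]]*['\"][A-Za-z0-9+/=]+['\"]" "$1" |
    sed -E "s/.*['\"]([A-Za-z0-9+/=]+)['\"]$/\1/" |
    while IFS= read -r blob; do
        printf '%s' "$blob" | base64 -d 2>/dev/null || printf '<undecodable>'
        printf '\n'
    done
}

# "path: decoded payload" for every infected file under $1.
report_infected() {
    find_infected "$1" | while IFS= read -r f; do
        decode_payloads "$f" | while IFS= read -r p; do
            printf '%s: %s\n' "$f" "$p"
        done
    done
}

# Constructed sample site: one injected plugin file, one clean one.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins/x"
    payload=$(printf '%s' 'echo "constructed";' | base64 | tr -d '\n')
    # Injected copies typically carry the eval line at the top of an
    # existing theme or plugin file.
    printf '<?php eval(base64_decode("%s")); ?>\n' "$payload" \
        > "$d/wp-content/plugins/x/x.php"
    printf '<?php echo "clean"; ?>\n' > "$d/wp-content/plugins/x/clean.php"
    echo "$d"
}

# Usage: sh find-eval-base64.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    report_infected "$1"
fi
```

Decoded payloads are often a second layer of base64 or gzinflate; feed the output back through the same decoder by hand rather than into PHP, and treat every file the scan lists as evidence of which account or theme was the entry point, not just as something to delete.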